GoKawiilAn instant software update turned an adware program into an antivirus (AV) destroyer, priming nearly 24,000 computer systems on five continents for follow-on cyberattacks.
People tend to view adware, and other forms of potentially unwanted programs (PUPs), as little more than a lowly annoyance. It doesn't help that PUPs is such a cute acronym, and that the name "potentially unwanted programs" is an unnecessarily polite misnomer for what these programs actually are: malware, masquerading as legal software.
One threat actor, disguised as a corporation, did its best last year to show the world what these niggling programs are truly capable of. After infecting a couple tens of thousands of mildly annoyed individuals and organizations worldwide, it pushed a malicious update that turned its adware into straight-up malware. Thankfully, with $10 and a little bit of gumption, researchers at Huntress identified and sinkholed the malware's primary update domain, mitigating further damage.
Related:6-Year Ransomware Campaign Targets Turkish Homes & SMBs
Adware Campaign Turns Dangerous
The threat actor behind this campaign, Dragon Boss Solutions LLC, claims to be a registered company based in the United Arab Emirates (UAE). Its Crunchbase profile states that it "engages in research to find the best Search Monetization Solutions for Browser Extensions, Software and Desktop Applications," which is a fancy way of saying that it runs adware in browsers and apps. Its adware is typically flagged by antivirus (AV) programs, and about a year ago, its proprietors decided to do something to fix that.
Dragon Boss PUPs use a ubiquitous but surprisingly little-known program called "Advanced Installer" to organize all their files and such into a smooth installation process. One of Advanced Installer's most helpful features is its update tool, which automatically, periodically checks for new updates to Advanced Installer-packaged programs. In the early morning hours of March 22, 2025, Dragon Boss pushed an update to all its instances worldwide.
The payload concealed in that update was designed to disable security tools that recognize and flag Dragon Boss adware, including AVs from ESET, McAfee, Kaspersky, and Malwarebytes. For good measure, it also established persistence via scheduled tasks, arranged for any future payloads to be excluded from Windows Defender, and more. Huntress researchers speculated this payload may have been written with help from an artificial intelligence (AI) tool, as all of its malicious actions are neatly described in inline code comments.
Related:Hims Breach Exposes the Most Sensitive Kinds of PHI
By disabling AV solutions and establishing persistence, the adware could more effectively go about its business without interruption. Out of context, though, it looked just like a threat actor backdooring thousands of systems worldwide, setting the stage for follow-on cyberattacks. With another update, Dragon Boss could have easily uploaded ransomware, a botnet, or any other sort of malicious payload to infected systems.
... continue reading